GitHub Pages Auto Deploy
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If added to a repository, the workflow can publish that repository's website through GitHub Pages.
The suggested GitHub Actions workflow grants permission to publish to GitHub Pages and request an identity token. These permissions are expected for GitHub Pages deployment, but they are still account/repository authority.
permissions: contents: read pages: write id-token: write
Use the workflow only in repositories you intend to publish, keep branch protections appropriate, and review the GitHub Pages permissions before committing it.
Website changes can go live automatically after a matching push.
The workflow is designed to run automatically on pushes to the master branch when website files or the workflow change. That is purpose-aligned for auto-deploy, but a mistaken push could be published.
on:
push:
branches: [ master ]
paths:
- 'website/**'
- '.github/workflows/deploy-pages.yml'Confirm the branch and path filters match your release process, and consider pull requests or branch protection for sites where accidental publication would matter.
If the optional snippet is used, future builds may run whatever versions of those npm packages are current at install time.
The optional optimization example installs npm packages globally in CI without pinning exact versions. This is a common build pattern, but it introduces external package supply-chain reliance.
npm install -g html-minifier clean-css-cli uglify-js
Pin package versions or use a reviewed project lockfile for production workflows.